Analysis of the Hash Functions of the SHA Family

Ruhr-Universität Bochum
Faculty of Mathematics
Information Security and Cryptology
Finding Differential Patterns
for the Wang Attack
Magnus Daum
CITS – Cryptology and IT-Security
Faculty of Mathematics
Ruhr University Bochum
Motivation
• Crypto ’04 (Wang et al.): actual collisions for various hash functions
• E.g. for MD5 (32-bit words as printed on the slide; the first 16 words form the first block, the remaining 32 words appear on the slide in two columns of 16 words, each read top to bottom):
M21:
02dd31d1 c4eee6c5 069a3d69 5cf9af98 87b5ca2f ab7e4612 3e580440 897ffbb8
0634ad55 02b3f409 8388e483 5a417125 e8255108 9fc9cdf7 f2bd1dd9 5b3c3780
left column:
d11d0b96 9c7b41dc f497d8e4 d555655a c79a7335 0cfdebf0 66f12930 8fb109d1
797f2775 eb5cd530 baade822 5c15cc79 ddcb74ed 6dd3c55f d80a9bb1 e3a7cc35
right column:
313e82d8 5b8f3456 d4ac6dae c619c936 b4e253dd fd03da87 06633902 a0cd48d2
42339fe9 e87e570f 70b654ce 1e0da880 bc2198c6 9383a8b6 2b65f996 702af76f
M21':
02dd31d1 c4eee6c5 069a3d69 5cf9af98 07b5ca2f ab7e4612 3e580440 897ffbb8
0634ad55 02b3f409 8388e483 5a41f125 e8255108 9fc9cdf7 72bd1dd9 5b3c3780
left column:
d11d0b96 9c7b41dc f497d8e4 d555655a 479a7335 0cfdebf0 66f12930 8fb109d1
797f2775 eb5cd530 baade822 5c154c79 ddcb74ed 6dd3c55f 580a9bb1 e3a7cc35
right column:
313e82d8 5b8f3456 d4ac6dae c619c936 34e253dd fd03da87 06633902 a0cd48d2
42339fe9 e87e570f 70b654ce 1e0d2880 bc2198c6 9383a8b6 ab65f996 702af76f
23.06.2005
Daum - Finding Differential Patterns for the Wang Attack
2
Motivation
• Lenstra/Wang/de Weger: colliding (w.r.t. MD5) X.509 certificates
• Differing part (32 words of each certificate):
first certificate:
42e7b9ca 8726b6c4 24a51ab9 c1056b84 93fb9588 9fa6e965 ff920348 793f3b2c
0634ad41 03b4adff 7a844bdf 4f01374d cb8332db a86fd419 b3c665a7 30bf16f0
2e7cff6a 9b687357 15b83319 f5e7ab64 c566cfb9 0c79fee4 367d04ee aeb077cc
307f085d 88eb60b5 404d72b3 2d667867 676484d8 809bbd7d 4ff29e98 a30e2eb8
second certificate:
42e7b9ca 8726b6c4 24a51ab9 c1056b84 13fb9588 9fa6e965 ff920348 793f3b2c
0634ad41 03b4adff 7a844bdf 4f01b74d cb8332db a86fd419 33c665a7 30bf16f0
2e7cff6a 9b687357 15b83319 f5e7ab64 4566cfb9 0c79fee4 367d04ee aeb077cc
307f085d 88eb60b5 404d72b3 2d65f867 676484d8 809bbd7d cff29e98 a30e2eb8
Motivation
• Other actual collisions published (Klima, Lucks/D.) show the same characteristics
• Reason: the attack applies a special differential pattern with fixed input differences
  (ΔM0, …, ΔM15) = (0, 0, 0, 0, 2^31, …, ±2^15, …, 2^31, 0)
• Considered bytewise, these are only differences in the most significant bit
• May be a problem in certain applications, e.g. when trying to find colliding ASCII texts
► Possible to use other input difference patterns?
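The input difference pattern just stated can be read directly off the collision words shown above. The following Python script is an added example, not part of Daum's slides or of Wang's work: it takes the 32-bit words as printed on the slide, computes the modular word differences between the two messages, and verifies the collision with hashlib. The grouping of the words into one shared first block plus two second blocks (the left and right columns on the slide) and the variable names are my assumptions.

```python
import hashlib

# Added example, not from the slides: Wang's MD5 collision words as printed on
# the slide, checked for the stated input-difference pattern and the collision.
# Word values are copied from the slide; the block layout (one shared first
# block, each 16-word column of the rest being a second block) is my reading of it.
MASK = 0xFFFFFFFF

def words(text):
    return [int(w, 16) for w in text.split()]

# first block (shared by both messages) and its modified version
M0 = words("02dd31d1 c4eee6c5 069a3d69 5cf9af98 87b5ca2f ab7e4612 3e580440 897ffbb8 "
           "0634ad55 02b3f409 8388e483 5a417125 e8255108 9fc9cdf7 f2bd1dd9 5b3c3780")
M0_ = words("02dd31d1 c4eee6c5 069a3d69 5cf9af98 07b5ca2f ab7e4612 3e580440 897ffbb8 "
            "0634ad55 02b3f409 8388e483 5a41f125 e8255108 9fc9cdf7 72bd1dd9 5b3c3780")
# left column of the slide (second block, first variant) and its modified version
LEFT = words("d11d0b96 9c7b41dc f497d8e4 d555655a c79a7335 0cfdebf0 66f12930 8fb109d1 "
             "797f2775 eb5cd530 baade822 5c15cc79 ddcb74ed 6dd3c55f d80a9bb1 e3a7cc35")
LEFT_ = words("d11d0b96 9c7b41dc f497d8e4 d555655a 479a7335 0cfdebf0 66f12930 8fb109d1 "
              "797f2775 eb5cd530 baade822 5c154c79 ddcb74ed 6dd3c55f 580a9bb1 e3a7cc35")
# right column of the slide (second block, second variant) and its modified version
RIGHT = words("313e82d8 5b8f3456 d4ac6dae c619c936 b4e253dd fd03da87 06633902 a0cd48d2 "
              "42339fe9 e87e570f 70b654ce 1e0da880 bc2198c6 9383a8b6 2b65f996 702af76f")
RIGHT_ = words("313e82d8 5b8f3456 d4ac6dae c619c936 34e253dd fd03da87 06633902 a0cd48d2 "
               "42339fe9 e87e570f 70b654ce 1e0d2880 bc2198c6 9383a8b6 ab65f996 702af76f")

def signed(delta):
    """Represent a modular difference in (-2^31, 2^31] so that 2^31 stays +2^31."""
    return delta - 2**32 if delta > 2**31 else delta

def input_differences(block, block_):
    """Modular word differences M'_i - M_i (mod 2^32) at the positions that differ."""
    return {i: signed((y - x) & MASK) for i, (x, y) in enumerate(zip(block, block_)) if x != y}

def to_bytes(blocks):
    """MD5 reads each 32-bit word little-endian, so the words are encoded that way."""
    return b"".join(w.to_bytes(4, "little") for block in blocks for w in block)

def md5_hex(blocks):
    return hashlib.md5(to_bytes(blocks)).hexdigest()

def collides(second, second_):
    """True if (M0 || second) and (M0' || second') have the same MD5 digest."""
    return md5_hex([M0, second]) == md5_hex([M0_, second_])

if __name__ == "__main__":
    for name, blk, blk_ in (("M0", M0, M0_), ("left", LEFT, LEFT_), ("right", RIGHT, RIGHT_)):
        print(name, {i: f"{d:+#x}" for i, d in input_differences(blk, blk_).items()})
    print("right column collides:", collides(RIGHT, RIGHT_), md5_hex([M0, RIGHT]))
    print("left column collides:", collides(LEFT, LEFT_))
```

Every block pair differs only in words 4, 11 and 14, by 2^31, ±2^15 and 2^31 respectively, which is the pattern stated above; the byte order matters, because the same words written big-endian would not collide.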
Wang's Attack
Wang's Attack
• Differential attack with modular differences (i.e. differences with respect to addition modulo 2^32)
• Starts from a given/chosen message and modifies its bits to produce a collision
• Two main parts:
  – Choosing the differential pattern (done by hand)
  – Single-Step and Multi-Step Modifications
Choosing
the Differential Pattern
• Not much is known about how Wang actually found this pattern, which is used in all the implementations
• Wang: "intuitively" and "by hand"
• Some ideas can be reconstructed by looking at what is happening during the attack
Attack on MD5
Input word differences ΔW_t (modular) used in the attack:
ΔW4 = 2^31
ΔW14 = 2^31
ΔW15 = -2^15
ΔW18 = -2^15
ΔW23 = 2^31
ΔW25 = 2^31
ΔW34 = -2^15
ΔW35 = 2^31
ΔW36 = 0
ΔW37 = 2^31
ΔW50 = 2^31
ΔW60 = 2^31
ΔW61 = -2^15
• Construction of the pattern starts in the last rounds
• The design of MD5 allows a differential pattern for rounds 3+4 which leads to a useful near-collision
• Input differences are chosen such that this difference propagation happens with high probability
• Look for conditions on register values which make the difference propagation in the first two rounds possible
Step Operation in MD5
MD5
• Message expansion by roundwise permutations of the M_i (four rounds)
• Step operation:
  K_t, s_t: constants
  W_t: message words
  f: bitwise defined Boolean function
  R_t: new content of the register changed in step t
Step Operation
• Advantage of considering modular differences: most operations used in the step operation propagate modular differences deterministically
• Analyse the other parts:
  – Bit rotations
  – Bitwise defined functions
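The step operation described on the previous slide, and the claim that its additions propagate modular differences deterministically, can be checked with a direct transcription of MD5. This is an added example, not code from the slides: it implements R_t = b + ((a + f(b,c,d) + W_t + K_t) <<< s_t) with the standard constants K_t, shifts s_t, round functions and the round-wise permutation of the message words, verifies the result against hashlib, and samples the modular difference of the sum a + f + W_t + K_t when only W_t carries a difference. Function names are mine.

```python
import hashlib
import math
import random
import struct

# Added example, not from the slides: MD5's step operation with its constants,
# round functions and message-word permutation, verified against hashlib, plus
# a check that the additions inside a step pass modular differences through.
MASK = 0xFFFFFFFF

def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK

# bitwise defined Boolean functions f, one per round
def F(b, c, d): return (b & c) | (~b & d & MASK)
def G(b, c, d): return (b & d) | (c & ~d & MASK)
def H(b, c, d): return b ^ c ^ d
def I(b, c, d): return c ^ (b | (~d & MASK))

ROUND_FUNCTION = [F, G, H, I]
SHIFTS = [[7, 12, 17, 22], [5, 9, 14, 20], [4, 11, 16, 23], [6, 10, 15, 21]]  # s_t
K = [int(abs(math.sin(t + 1)) * 2**32) & MASK for t in range(64)]            # K_t

def message_word_index(t):
    """Round-wise permutation: W_t = M_i with i = index(t), for step t in 0..63."""
    r, i = divmod(t, 16)
    return [i, (5 * i + 1) % 16, (3 * i + 5) % 16, (7 * i) % 16][r]

def step(a, b, c, d, w, t):
    """R_t = b + ((a + f(b,c,d) + W_t + K_t) <<< s_t); a is the register replaced in step t."""
    f = ROUND_FUNCTION[t // 16](b, c, d)
    return (b + rotl((a + f + w + K[t]) & MASK, SHIFTS[t // 16][t % 4])) & MASK

def compress(state, m):
    a, b, c, d = state
    for t in range(64):
        a, b, c, d = d, step(a, b, c, d, m[message_word_index(t)], t), b, c
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d))]

def md5_hex(msg):
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", 8 * len(msg))
    for off in range(0, len(padded), 64):
        state = compress(state, list(struct.unpack("<16I", padded[off:off + 64])))
    return struct.pack("<4I", *state).hex()

def matches_hashlib(msg):
    return md5_hex(msg) == hashlib.md5(msg).hexdigest()

def sum_differences(delta_w, t=0, trials=2000, seed=1):
    """Set of modular differences of a + f + W_t + K_t when only W_t carries the
    difference delta_w, over random a and f: the additions pass it through unchanged."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(trials):
        a, f, w = (rng.getrandbits(32) for _ in range(3))
        s1 = (a + f + w + K[t]) & MASK
        s2 = (a + f + ((w + delta_w) & MASK) + K[t]) & MASK
        seen.add((s2 - s1) & MASK)
    return seen

if __name__ == "__main__":
    print(md5_hex(b"abc"), matches_hashlib(b"abc"))
    print("M4 enters at steps", [t for t in range(64) if message_word_index(t) == 4])
    print("M11 enters at steps", [t for t in range(64) if message_word_index(t) == 11])
    print("sum differences for delta 2^31:", {hex(d) for d in sum_differences(1 << 31)})
```

message_word_index shows where each message word enters: M4 is used in steps 4, 23, 37 and 60, M11 in steps 18, 34 and 61, and M14 in steps 14, 25, 35 and 50, matching the positions of the nonzero entries in the list of ΔW_t on the "Attack on MD5" slide. sum_differences always returns a single value, the input difference itself; the bit rotation and f are the parts that still need the analysis on the following slides.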
Difference Propagation
Various Differences
bitwise (XOR) differences
modular differences: uniquely determined (by the signed bitwise differences)
signed bitwise differences
• differences usually have low weight
Various Differences
signed bitwise differences vs. modular differences
• Special case:
• Depends on the actual value of x:
• For fixed Δx = [k]:
• Can be generalized to other differences
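The three kinds of differences on this and the previous slide, as an added Python example (not from the slides): conversion between XOR, modular and signed bitwise differences of 32-bit words, a check that the signed bitwise difference determines the other two while the XOR difference does not determine the modular one, and a sampling of which signed bitwise differences a fixed modular difference Δx = 2^k turns into depending on the actual value of x. The [±k] notation in the output is modelled on the slides' [k]; function names are mine.

```python
import random

# Added example, not from the slides: XOR, modular and signed bitwise
# differences of 32-bit words, conversions between them, and the dependence of
# the signed bitwise difference on the actual value of x for fixed Δx = 2^k.
N = 32
MASK = (1 << N) - 1

def xor_diff(x, y):
    return x ^ y

def modular_diff(x, y):
    return (y - x) & MASK

def signed_bitwise_diff(x, y):
    """Per bit i: +1 if x_i=0 and y_i=1, -1 if x_i=1 and y_i=0, 0 if equal."""
    return [((y >> i) & 1) - ((x >> i) & 1) for i in range(N)]

def modular_from_signed(sbd):
    """The modular difference is uniquely determined by the signed bitwise one."""
    return sum(s << i for i, s in enumerate(sbd)) & MASK

def xor_from_signed(sbd):
    """The XOR difference is determined by the signed bitwise one as well."""
    return sum(1 << i for i, s in enumerate(sbd) if s)

def fmt(sbd):
    """Render as [+k, -l, ...]: the bit positions with their signs."""
    return "[" + ", ".join(f"{'+' if s > 0 else '-'}{i}" for i, s in enumerate(sbd) if s) + "]"

def signed_diffs_for_modular(delta, trials=4000, seed=7):
    """For fixed Δx = delta: which signed bitwise differences occur as x varies,
    most frequent first. Carries turn [+k] into [-k, +(k+1)], [-k, -(k+1), +(k+2)], ..."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        x = rng.getrandbits(N)
        key = fmt(signed_bitwise_diff(x, (x + delta) & MASK))
        counts[key] = counts.get(key, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))

def ambiguous_xor_example():
    """Same XOR difference (bit 0), different modular differences: +1 and -1."""
    return modular_diff(0b0110, 0b0111), modular_diff(0b0111, 0b0110)

if __name__ == "__main__":
    x, y = 0x5a417125, 0x5a41f125      # word 11 of Wang's first block and its modified version
    print(hex(xor_diff(x, y)), hex(modular_diff(x, y)), fmt(signed_bitwise_diff(x, y)))
    print(signed_diffs_for_modular(1 << 15))
    print(ambiguous_xor_example())
```

For Δx = 2^15 the signed bitwise difference is [+15] for half of all x, [-15, +16] for a quarter, and longer carry chains with geometrically decreasing probability; this is the "depends on the actual value of x" point of the slide, and the reason the low-weight case is the one usually assumed.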
Difference Propagation:
Bitwise Functions
• f is applied bitwise → modular differences are not very useful
• transform to signed bitwise differences
• propagation of signed bitwise differences can be analysed easily
→ possible values for the resulting difference, together with corresponding conditions for each of the cases
• corresponding modular differences are uniquely determined
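Enumerating the cases for the bitwise functions, as an added example (not from the slides): for one bit position and a signed input difference in b, c or d, the script lists every possible output difference of the MD5 round functions F, G, H and I together with the condition on the unchanged input bits under which it occurs, and then combines the per-bit results into the possible modular output differences. It assumes the standard MD5 round functions; the function names are mine.

```python
import itertools

# Added example, not from the slides: single-bit propagation of signed bitwise
# differences through the four MD5 round functions, with the conditions on the
# unchanged input bits for each case, and the resulting modular differences.
BOOL_FUNCS = {
    "F": lambda b, c, d: (b & c) | ((1 - b) & d),
    "G": lambda b, c, d: (b & d) | (c & (1 - d)),
    "H": lambda b, c, d: b ^ c ^ d,
    "I": lambda b, c, d: c ^ (b | (1 - d)),
}

def output_differences(name, delta):
    """delta = (Δb, Δc, Δd) with entries in {-1, 0, +1} for one bit position.
    Returns {Δf: [conditions]}; each condition gives the values of the inputs
    without difference that lead to that Δf."""
    f = BOOL_FUNCS[name]
    result = {}
    for bits in itertools.product((0, 1), repeat=3):
        # an input with +1 must currently be 0 (it turns into 1), with -1 must be 1
        if any((dl == 1 and bt == 1) or (dl == -1 and bt == 0) for dl, bt in zip(delta, bits)):
            continue
        bits_ = tuple(bt + dl for bt, dl in zip(bits, delta))
        df = f(*bits_) - f(*bits)
        cond = {nm: bt for nm, bt, dl in zip("bcd", bits, delta) if dl == 0}
        result.setdefault(df, []).append(cond)
    return result

def probabilities(name, delta):
    """Probability of each Δf if the unconditioned input bits are uniform."""
    cases = output_differences(name, delta)
    total = sum(len(v) for v in cases.values())
    return {df: len(v) / total for df, v in cases.items()}

def possible_modular_outputs(name, bit_deltas):
    """bit_deltas: {bit position: (Δb, Δc, Δd)}. Because f works bitwise, the
    modular output difference is the sum of Δf_i * 2^i over the positions, so
    its distribution follows from the single-bit cases (bits treated as independent)."""
    outcomes = {0: 1.0}
    for i, delta in bit_deltas.items():
        nxt = {}
        for total, p in outcomes.items():
            for df, q in probabilities(name, delta).items():
                v = (total + df * (1 << i)) & 0xFFFFFFFF
                nxt[v] = nxt.get(v, 0.0) + p * q
        outcomes = nxt
    return outcomes

if __name__ == "__main__":
    for name in BOOL_FUNCS:
        for delta in ((1, 0, 0), (0, 1, 0), (0, 0, 1)):
            print(name, delta, output_differences(name, delta))
    print(possible_modular_outputs("F", {15: (1, 0, 0)}))
    print(possible_modular_outputs("H", {31: (1, 0, 0)}))
```

For F with Δb = +1 the output difference is 0 when c = d, +1 when c = 1 and d = 0, and -1 when c = 0 and d = 1; these are exactly the conditions on register bits that a differential pattern imposes. H (XOR) never absorbs a difference, it only chooses its sign, and at bit 31 both signs give the same modular difference 2^31.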
Bit Rotation
and Modular Addition
A random, B fixed:
Difference Propagation:
Bit Rotations
• Register R with a fixed difference ΔR = [t]
• A = R, B = ΔR:
• Applying the theorem described earlier yields
  for t < n-s:
  for t ≥ n-s:
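The rotation cases for ΔR = [t], i.e. R' = R + 2^t with R random, as an added Python example (not from the slides): it samples the modular difference after a rotation by s and compares it with the values obtained by splitting R into its upper s and lower n-s bits. The case analysis in predicted_outcomes is my own derivation of the two cases t < n-s and t ≥ n-s, not the statement of the theorem from the slide, which is not reproduced here.

```python
import random
from collections import Counter

# Added example, not from the slides: empirical distribution of the modular
# difference after a left rotation by s when the register R carries the fixed
# difference ΔR = 2^t and R itself is uniformly random (A = R random, B = ΔR fixed).
N = 32
MASK = (1 << N) - 1

def rotl(x, s):
    return ((x << s) | (x >> (N - s))) & MASK

def signed(delta):
    """Represent a modular difference in (-2^31, 2^31]."""
    return delta - (1 << N) if delta > (1 << (N - 1)) else delta

def rotation_outcomes(t, s, trials=20000, seed=3):
    """{signed modular difference of ((R + 2^t) <<< s) - (R <<< s): frequency}, most frequent first."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(trials):
        r = rng.getrandbits(N)
        counts[signed((rotl((r + (1 << t)) & MASK, s) - rotl(r, s)) & MASK)] += 1
    return {d: n / trials for d, n in sorted(counts.items(), key=lambda kv: -kv[1])}

def predicted_outcomes(t, s):
    """My derivation: write R = hi * 2^(n-s) + lo, so R <<< s = lo * 2^s + hi.
    For t < n-s the difference lands in lo and may carry into hi (which may wrap);
    for t >= n-s it lands in hi, which may wrap modulo 2^s."""
    if t < N - s:
        main = 1 << (t + s)
        return {signed(main): "no carry into the upper part",
                signed((main + 1) & MASK): "carry into the upper part",
                signed((main + 1 - (1 << s)) & MASK): "carry into the upper part, which then wraps"}
    low = 1 << (t - (N - s))
    return {signed(low): "no wrap of the upper part",
            signed((low - (1 << s)) & MASK): "upper part wraps"}

def dominant(t, s):
    """The most frequent rotated difference."""
    return next(iter(rotation_outcomes(t, s)))

if __name__ == "__main__":
    for t, s in ((15, 7), (31, 7), (15, 22)):
        print(f"t={t}, s={s}:", rotation_outcomes(t, s), "predicted:", predicted_outcomes(t, s))
```

For t < n-s one value (2^(t+s)) dominates and the carry cases have probability about 2^(t-(n-s)); for t ≥ n-s the two cases are whether the upper part wraps, which for t = 31 happens with probability 1/2 (the sign of the rotated difference is then decided by bit 31 of R), so a difference 2^31 costs one condition on a register bit wherever it is rotated.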
Example: Analysis of
Difference Propagation
• taken from first round of MD4
Automated Searching
of such Differential Patterns
Degrees of Freedom
• Choices when constructing such patterns:
  – (Input differences W_i)
  – Bitwise function: 1-3 choices per nonzero bit
• Example on the slide: bit 29; bits 22, 25; bit 31
• Further choices when constructing such patterns:
  – Bit rotation: 4 choices in general (but usually one dominant case)
  – Assumptions on bitwise differences ("expand" differences)
Searching
for Differential Patterns
• Idea: build trees of difference patterns
• Each vertex represents a possible state of differences
• The possible differences resulting after the following step are computable
  – Leads to several new vertices → pruning necessary
• For the pruning use a cost function depending on the following properties:
  – Probability that this difference state is actually achieved
  – Weights of the differences
  – Distance from the root of the tree
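A toy version of the tree search with cost-based pruning, as an added example (not Daum's implementation): vertices are 4-tuples of modular register differences, edges are MD4 first-round steps (a = (a + F(b,c,d) + W_t) <<< s_t, with the shifts 3, 7, 11, 19), the transition probabilities are estimated by sampling random register values, and each layer keeps only the vertices with the lowest cost, which combines -log2 probability, weight and depth with weights I chose. Register values are assumed uniformly random at every step, which ignores the conditions accumulated in earlier steps; the names are mine.

```python
import math
import random
from collections import Counter

# Added example, not from the slides: a beam search over states of modular
# register differences for MD4 round 1, pruned by a cost function built from
# the three properties on the slide (probability, weight, distance from root).
MASK = 0xFFFFFFFF
MD4_ROUND1_SHIFTS = [3, 7, 11, 19]

def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK

def F(b, c, d):
    return (b & c) | (~b & d & MASK)

def md4_step(regs, w, t):
    """One step of MD4 round 1; the replaced register moves into position b."""
    a, b, c, d = regs
    return (d, rotl((a + F(b, c, d) + w) & MASK, MD4_ROUND1_SHIFTS[t % 4]), b, c)

def weight(state):
    """Weight of a difference state: set bits over the four register differences."""
    return sum(bin(x).count("1") for x in state)

def successors(state, dw, t, samples, rng):
    """Estimate the distribution of next difference states: apply the step to random
    registers x and to x + state (modular), with message words w and w + dw."""
    counts = Counter()
    for _ in range(samples):
        regs = tuple(rng.getrandbits(32) for _ in range(4))
        regs_ = tuple((r + dl) & MASK for r, dl in zip(regs, state))
        w = rng.getrandbits(32)
        out, out_ = md4_step(regs, w, t), md4_step(regs_, (w + dw) & MASK, t)
        counts[tuple((y - x) & MASK for x, y in zip(out, out_))] += 1
    return {s: n / samples for s, n in counts.items()}

def cost(log2_prob, state, depth, weights=(1.0, 0.5, 0.1)):
    """Cost = w0 * (-log2 probability) + w1 * weight + w2 * distance from the root."""
    return weights[0] * -log2_prob + weights[1] * weight(state) + weights[2] * depth

def search(input_diffs, beam=8, samples=512, seed=1):
    """Build the tree layer by layer (one layer per step), keep the `beam` cheapest
    vertices per layer; returns (log2 probability, path of difference states)."""
    rng = random.Random(seed)
    layer = [(0.0, ((0, 0, 0, 0),))]          # root: zero differences everywhere
    for t, dw in enumerate(input_diffs):
        children = []
        for log2p, path in layer:
            for nxt, p in successors(path[-1], dw, t, samples, rng).items():
                children.append((log2p + math.log2(p), path + (nxt,)))
        children.sort(key=lambda c: cost(c[0], c[1][-1], len(c[1]) - 1))
        layer = children[:beam]
    return layer[0]

if __name__ == "__main__":
    log2p, path = search([1 << 31, 0, 0, 0])
    print(f"log2 probability {log2p:.2f}")
    for depth, state in enumerate(path):
        print(depth, [hex(x) for x in state])
```

With the single input difference 2^31 in W_0, the first layer has the two children (0, +4, 0, 0) and (0, -4, 0, 0) with probability about 1/2 each (the rotation by 3 moves bit 31 to bit 2, with the sign decided by the register bit), and the weight term makes the search keep +4, the low-weight representation. Strategy a) of the next slide corresponds to running this search until a vertex with zero differences reappears; the depth term only matters when vertices of different layers are compared, as in that case.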
Finding Useful Patterns
• Additional constraints for useful patterns, e.g. start and end with zero differences
a) Trivial solution: take a root with zero differences and add new vertices till a vertex with zero differences is found
b) Build two trees, one going forward, one going backward; fix a layer corresponding to some step and look for common vertices
c) Two trees as above, but stop some steps before the fixed layer; find a connection by solving additional equations
• Has not been fully tested up to now
Conclusion
• Some analysis of the background of Wang's attack
• Theoretical basis for analysing the propagation of modular differences
• Ideas for automatically finding useful difference patterns
Thank you!
Questions???